EPIC v. DHS (Media Monitoring Services)

EPIC v. DHS, No. 18-1268 (D.D.C. filed May 30, 2018), is a lawsuit to obtain records about—and to block the development of—a Department of Homeland Security system designed to monitor journalists. In April of 2018, the DHS began seeking a contractor to develop "Media Monitoring Services" (MMS), a suite of digital tools that would continuously track and analyze media coverage and store large volumes of personally identifiable information about journalists, bloggers, and social media users. The system would collect and retain personal data such "locations, contact information, employer affiliations, and past coverage."

The DHS's proposed media monitoring tools pose significant risks to privacy and threaten to chill the exercise of press freedoms. Within days of the agency's announcement, EPIC filed a Freedom of Information Act request seeking the Privacy Impact Assessment that the DHS was required by law to produce before developing any monitoring tools. When the agency failed to process EPIC's request, EPIC filed suit on May 30, 2018. In response to EPIC's lawsuit, the DHS admitted that it had not, in fact, conducted a Privacy Impact Assessment. The DHS also disclosed records to EPIC showing that the agency bypassed its own privacy officials and ignored the privacy and First Amendment threats posed by the Media Monitoring Services program. EPIC's case is ongoing.

Top News

EPIC to DHS Privacy Advisory Committee: End Facial Recognition: In response to a public notice by the Data Privacy and Integrity Advisory Committee, EPIC submitted comments urging the CBP to halt implementation of the biometric border program. EPIC stressed the need for federal regulation to safeguard privacy and prevent the misuse of facial recognition technology. EPIC called for a public rulemaking for the federal entry/exit program. EPIC also criticized the Committee's draft recommendations for facial recognition. EPIC said that the transfer of personal data from the State Department to the CBP was unlawful and that the opt-opt procedures were ignored in practice. Documents EPIC previously obtained in a FOIA lawsuit against CBP revealed that facial scanning did not perform operational matching at a "satisfactory" level. (Dec. 6, 2018)

Contrary to DHS Policy and Prior Statements, ICE Seeks NC State Voter Data: Immigration and Customs Enforcement has demanded that North Carolina provide over 18 million voter records from the past eight years. The subpoena is outside the Department of Homeland Security authority and goes against testimony by DHS Secretary Kirstjen Nielsen, who told Congress this year that DHS’s role is limited to voluntary requests for assistance from the states. Nielsen also wrote, in records obtained through an EPIC FOIA request, that associating the DHS with voter data collection “could disrupt critical efforts” to work with state officials on election cybersecurity. EPIC has long fought to ensure voter privacy and recently forced the defunct Presidential Election Commission to delete millions of state voter records unlawfully obtained. (Sep. 6, 2018)

In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions that would reduce privacy safeguards in the federal government. The Immigration Biometric and Background Check database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous “routine uses” that allow the agency to disseminate the data to law enforcement and intelligence agencies. EPIC has urged strict compliance with Privacy Act obligations and warned that inaccurate, insecure, and overbroad government databases threaten both privacy and national security.

EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 m records, including 5 m digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.

EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for Assessment but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data.

In a letter to DHS Secretary Kirstjen Nielson, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports.

EPIC has submitted a Freedom of Information Act request to the Department of Homeland Security seeking Privacy Impact Assessments and other records related to the solicitation for "media monitoring services." The DHS posted a solicitation to compile a database of journalists and "media influencers," including bloggers and social media influencers. The DHS is seeking to identify journalists based on their beat, publication, contact information, and articles published. Agency officials plan to search lists and analyze news coverage. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that contains personally identifiable information. In a prior FOIA lawsuit, EPIC obtained Privacy Impact Assessments from the FBI that were not publicly available. And in EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain the public release of information about the use of drones for domestic surveillance. EPIC cited a Presidential Memorandum that required all federal agencies to prepare public reports on drone deployment. EPIC's lawsuit charges that the DHS has failed to make these reports public. In a previous lawsuit against the DHS, EPIC obtained records which revealed that DHS drones had the capability to intercept electronic communications and identity humans at a distance. EPIC has also brought a lawsuit against the FAA to establish drone privacy regulations in the United States.

In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors.

The Presidential Election Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded Wednesday by President Trump. The Commission had faced an ongoing lawsuit by EPIC over its failure to conduct and publish a Privacy Impact Assessment before collecting personal data, as required by law. EPIC’s lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission’s efforts to collect state voter data. In a statement, the President said that he had asked the Department of Homeland Security “to determine next courses of action.” EPIC has a pending Freedom of Information Act request to the DHS for records concerning the federal government’s collection of personal data on voters. EPIC’s case against the Commission, which remains open, is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).

Today Congress considered the nomination of Kirstjen M. Nielsen as Secretary at the Department of Homeland Security. Ms. Nielsen opposes a border wall but suggested an expansion of border surveillance. "Technology, as you know, plays a key part, and we can't forget it," she said. EPIC is pursuing a FOIA request regarding the use of DHS drones for border surveillance. Earlier EPIC cases - including EPIC v. DHS which led to the removal of x-ray body scanners in US airports - revealed that technologies for border surveillance invariably impact the privacy rights of Americans. Ms. Nielsen views on the use of DACA applicant data for enforcement remains unclear. EPIC recently warned that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals.

In comments to the Department of Homeland Security, EPIC opposed a plan to add social media information to the official files of all immigrants. EPIC said the DHS proposal threatens First Amendment rights, risked abuse, and would disproportionately impact minority groups. A coalition of organizations also submitted comments to express concern about the proposal. EPIC previously opposed a Customs and Border Protection proposal to collect social media identifiers from visa applicants. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country.

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain records related to Russian interference in the 2016 U.S. Presidential Election. Earlier this year, the DHS has designated state election systems as critical infrastructure and published a Joint Analysis Report acknowledging Russian interference with U.S. election systems. However, DHS has not provided any significant new information to the American public about the extent of the Russian interference. EPIC now seeks disclosure of the agency's "research, integration, analysis" related to the scope of Russian interference. EPIC's FOIA lawsuit follows H.Res. 235, a bill sponsored by Rep. Thompson (D-MS) that would have directed the DHS to provide this information to Congress, but was blocked by the House Homeland Security Committee. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records).

In a statement to Congress, EPIC told members of the Senate Judiciary Committee to press the nominee for FBI Director, Christopher Wray, on his views of FBI databases and domestic surveillance programs. EPIC again expressed concern about the size and scope of the FBI's Next Generation Identification system which stores personal and biometric information on millions of individuals. EPIC also expressed concern over the FBI's failure to issue timely privacy impact assessments, lack of transparency on drone use, and plans to monitor social media. EPIC urged the Committee to obtain the nominee's views on these matters and to ensure his commitment to protect privacy and ensure transparency at the FBI.

In comments to the Department of Homeland Security, EPIC urged the agency to withdrawproposed Privacy Act exemptions. The FALCON database contains detailed personal information on ICE and CBP employees, and individuals associated with ICE investigations including victims and witnesses. For this government database, DHS has proposed to exempt itself from several Privacy Act protections including ensuring that the records are accurate, timely, and complete. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. The FBI recently postponed an "Insider Threat" database that also lacked adequate Privacy Act safeguards.

EPIC has joined the Fly Don't Spy! campaign to urge DHS Secretary Kelly to reject plans to require to hand over passwords to the federal government. Such a requirement would undermine privacy and human rights, chill freedom of speech and association, and create greater security risks for travelers. Earlier this year, Secretary Kelly testified before Congress about collecting social media passwords. In response, EPIC immediately filed a Freedom of Information Act request regarding all DHS plans to use individuals' internet and social media information to vet potential entrants to the U.S.

In a letter to the House Judiciary Committee for an oversight hearing, EPIC highlighted civil liberties problems with DEA programs. In 2014, EPIC sued the DEA for information about the agency's Hemisphere program, a massive telephone record database. More recently, EPIC prevailed in a FOIA lawsuit that revealed the DEA's failure to conduct privacy assessments required by law, for the agency's license plate scanning program. In the letter EPIC urged the Committee to investigate the Hemisphere program and determine whether the agency will complete privacy impact statements for agency programs as required by law.

EPIC has submitted an urgent Freedom of Information Act request for DHS's review of the Russian Interference with the presidential election. The EPIC FOIA request follows House Resolution 235, sponsored by Rep. Bennie Thompson (D-MS), which would direct the Secretary of Homeland Security to transmit DHS's documents related to Russian interference to the House of Representative. EPIC is now pursuing public release of the same records, and has notified Chairman Jason Chaffetz (R-UT) and Ranking Member Cummings (D-MD), of the House Oversight Committee of the pending FOIA request. Earlier this week, EPIC argued "the public has the right to know" about the extent of Russian interference with the 2016 election.

EPIC has submitted a Freedom of Information Act request to the TSA seeking information on the recently announcedban on electronics on flights bound for the United States. The ban applies to ten airports in eight majority Muslim countries. EPIC is seeking documents related to the reasons for implementing the ban as well as documentation on TSA policies and procedures for searching electronics in checked luggage. EPIC regularly submits FOIA requests to government agencies and is also seeking information on eye scans conducted at US airports on US travelers. In EPIC v. DHS, EPIC is challenging the TSA's efforts to mandate airport body scanners.

In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2017 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2016, EPIC obtained records detailing a Customs and Border Protection data mining program used to build "risk" profiles on travelers, unveiled two years' worth of statistical data showing the FBI's growing biometric identification program, and revealed the DEA's failure to conduct legally mandated privacy assessments in EPIC v. DEA. In the latest FOIA Gallery, EPIC also highlights twonew FOIA lawsuits to uncover details of the Russian interference in the 2016 election case concerning electronic surveillance report, and the launch of EPIC's new course teaching the basics of the federal FOIA.

The Justice Department's Office of Information Policy has released the 2016 Freedom of Information Act Litigation and Compliance Report. The report describes the DOJ's efforts in 2016 to ensure compliance with the open government law across the federal government, from issuing policy guidance to holding FOIA trainings. The agency also issued a list of FOIA cases where a court decision was rendered in 2016 and the amount of fees awarded by the court. EPIC tied for second (with the ACLU), behind the Public Employees for Environmental Responsibility, as the most successful FOIA litigator in the country, receiving court-ordered fee awards in three cases in 2016. In 2017, EPIC has already prevailed in a FOIA case against the FBI for public release of the agency's privacy assessments. Fees are anticipated in that case. For more information about EPIC's open government work, visit: https://epic.org/open_gov/.

EPIC has filed an urgent FOIA request with U.S. Customs and Border Protection for details of eye scans conducted on U.S. citizens traveling internationally. The CBP has long been testing biometric identification of travelers, including U.S. citizens, and a recent report indicates U.S. citizens were subject to eye scans before traveling abroad. EPIC seeks public disclosure of the details of CBP policies for scanning U.S. citizen irises and retinas upon entry or exit to the U.S. EPIC makes frequent use of the Freedom of Information Act. As the result of a FOIA lawsuit, EPIC recently obtained several memorandum of understanding regarding the transfer of biometric identifiers between the FBI and DOD. Last month, EPIC also prevailed in EPIC v. FBI, a FOIA lawsuit public release of the FBI's privacy assessments.

In comments to Office of Government Information Services, EPIC and a coalition of open government groups urged greater transparency for dispute resolutions. The coalition wrote that a proposed rule "would impose restrictive confidentiality requirements." The coalition proposed revisions that "do not place restrictive confidentiality requirements on requesters" who use dispute resolution services. EPIC routinely advocates on behalf of open government and transparency. Earlier this month, EPIC and a coalition called on the Office of Management and Budget to preserve public access to online government information. EPIC also recently prevailed in EPIC v. FBI, a Freedom of Information Act lawsuit for public release of the FBI's privacy assessments.

As a result of a Freedom of Information Act request, EPIC has obtained over650pages about DHS's immigration enforcement priorities. The documents detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement. EPIC recently submitted two new urgent FOIA requests to DHS, the first about DHS plans to step up social media monitoring and a second to reveal the agency's compliance with recent immigration court orders. This week, EPIC also prevailed in a FOIA lawsuit for public release of privacy assessments the FBI is required to prepare.

EPIC has prevailed in EPIC v. FBI, a case involving a Freedom of Information Act request for privacy assessments the FBI is required to prepare. EPIC sued the Federal Bureau of Investigation after the agency failed to respond to EPIC's FOIA request for the assessments. EPIC subsequently challenged the adequacy of the agency's search for responsive documents and the FBI's claim that record could be withheld pursuant to "Exemption 7(E)," which concerns law enforcement "techniques and procedures." Today, the federal judge concluded that "the FBI neither adequately described its search nor properly justified its withholdings of information under FOIA exemption 7(E)." The Court ordered the FBI to supplement the record to address the inadequacy of the agency's search and the basis for the Exemption 7(E) claims.

A coalition of human rights groups is urging the UN to investigate reports that the US is demanding entrants provide access to their cell phones and social media accounts. "These practices persist in violation of the United States human rights treaty obligations and your action is needed to hold the government accountable," the group stated in a letter to the the UN High Commissioner on Human rights and other UN offices. EPIC recently submitted an urgent request for disclosure of DHS plans to step up social media monitoring, and previously prevailed in a lawsuit against the agency to reveal records of its monitoring programs. EPIC's Privacy Law Sourcebook 2016, available in the EPIC bookstore, provides an overview of privacy frameworks around the world and tracks emerging privacy challenges.

In a letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an Executive Order limiting federal Privacy Act protections. "These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information," the Senators contended. The Senators also called on Secretary Kelly to explain the Order's impact on international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in Data Protection Commissioner v. Facebook, a case which follows a landmark decision that found insufficient legal protections for the transfer of European consumer data to the United States.

EPIC has submitted an urgent FOIA request to the Department of Homeland Security about aerial surveillance, social media monitoring and ID theft following statements made by DHS Secretary John Kelly in a Congressional hearing on Homeland Security. The Secretary described plans to expand the use of "aerostats" (surveillance blimps) and monitoring of social media. The Secretary also stated that he has been a victim of data breach. The EPIC FOIA request follows earlier cases brought by EPIC which revealed efforts by the DHS to expand aerial surveillance within the United States, develop techniques for "pre-crime" detection, interrupt Internet service, as well as the impermissible monitoring of social media services and news organizations.

EPIC has filed an urgent FOIA request with the Department for Homeland Security for further information about a DHS press release on "Compliance With Court Orders And The President's Executive Order." The DHS Press Release follows an Executive Order on entry to the United States and a series of court decisions suspending the Order. EPIC is now seeking details about the DHS's activities, including communications with other agencies, communications with airlines, and legal memos supporting the agency's actions. The Inspector General of DHS also announced an investigation to review "allegations of individual misconduct on the part of DHS personnel." EPIC cited both an "urgency to inform the public" and "exceptional media interest" in questions about the "government's integrity" in support of the request for expedited processing. EPIC will continue to press the DHS for prompt release of the documents sought. More information about EPIC's FOIA work is available on the FOIA Case page.

EPIC has filed an urgent FOIA request with the DHS, the Department of Justice, and the NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has previously litigated, and successfully obtained, NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States.

In the latest government data breach, the Navy reported that a hacker gathered the personal data of more than 130,000 current and former sailors from a laptop that belonged to a government contractor. Government securityvulnerabilities are on the rise. In 2015, the records of more than 21 million federal workers, friends and family members were breached. In 2016, EPIC urged candidates for office to focus on "data protection." EPIC has warned that inaccurate, insecure, and overbroad government databases pose a risks to the safety of Americans. Earlier this year, EPIC urged the Dept. of Defense and Dept. of Homeland Security to drop proposals to expand government databases that lacked adequate privacy safeguards.

The Department of Homeland Security has released revised Freedom of Information Act regulations. EPIC submitted extensive comments on the proposed changes to the agency's open government practices. The DHS agreed to make some changes, recommended by EPIC, that should improve the processing of FOIA requests. The agency maintained a broad definition of "educational institutions" so that individual researchers will be able to access government records at minimal cost, and clarified steps that could be taken to delay "administrative closure," a controversial agency practice. The agency disagreed with EPIC about agency referrals, the definition of "commercial interest," and the routine release of public information to general public.

In response to an EPIC FOIA lawsuit, EPIC has learned that the Drug Enforcement Administration never completed privacy impact assessments for the agency's massive license plate reader program, a telecommunications records database, and other systems of public surveillance. Despite a federal judge instructing the agency to search for records in response to the FOIA lawsuit, the DEA failed to produce the privacy assessments required by law. The outcome of EPIC v. DEA raises questions about the privacy review of the agency systems funded by Congress. EPIC is currently litigating a similar lawsuit against the FBI.

In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risked abuse, and would disproportionately impact against minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program.

In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risked abuse, and would disproportionately impact against minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program.

In response to a letter from EPIC and open government advocates, the FOIA ombudsman has issued the first part of a report on the use of "still interested" letters by federal agencies. The DHS and other agencies have sent these letters to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. In today's report, OGIS found that there is no "guidance or standard for reporting requests that agencies close" through "still interested" letters, and that it does not yet understand the impact such letters have on FOIA requesters.

In response to an EPIC FOIA request, the Transportation Security Administration has released a document describing the technical capabilities of the airport body scanners. EPIC previously obtained documents from TSA revealing that body scanners can record, store, and transmit digital strip search images of airline passengers. Last month, the TSA issued a regulation on airport body scanners, nearly five years after a federal appeals court ordered the agency to "promptly” undertake a rule making. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the TSA plans to use invasive body scanners at US airports. The TSA also said it may mandate airport body scanners, even though the agency previously told the D.C. Circuit that the body scanner program was optional and the federal appeals court upheld the program, relying on the agency’s statements.

Most federal agencies, including the Department of Homeland Security, have now published the 2016 FOIA Reports. These annual reports, required by former Attorney General Holder's 2009 FOIA Memo, describe each agency's compliance with the FOIA, including steps to taken to improve processing and promote openness. The federal FOIA ombudsman is currently investigating the practices of six DHS component agencies in response to a 2015 letter from EPIC and open government advocates. EPIC and other have recently urged the President to support bipartisan legislation aimed at improving the FOIA.

EPIC submitted comments to DHS urging the agency to improve transparency and privacy protections for the controversial Terrorist Screening Database that is used for Watchlist programs, such as the No Fly List, containing information that is often inaccurate and incomplete. The agency solicited comments on a proposal to remove Privacy Act safeguards while simultaneously expanding data collection and distributing data more widely across the DHS. EPIC and many other organization opposed the establishment of the Screening Database and called for the suspension pending a full review of the privacy and security implications. EPIC has testified before Congress about the risks of the Watchlist program.

In comments to the DHS, EPIC criticized a proposal to collect detailed records on people traveling by boat. The DHS is planning to track people arriving and departing the United States by sea, including between ports within the United States. However, DHS will ignore Privacy Act protections, and make the data collected routinely available to private companies and foreign governments. The proposal, explained EPIC, would "create a massive government database of detailed personal information that lacks accountability." EPIC has opposed other boat surveillance programs. And a FOIA case pursued by EPIC about a controversial boater tracking program revealed that the DHS fuses tracking data with other intelligence data to develop detailed profiles on boaters.

According to reports and statements from former Homeland Security officials, the DHS has initiated three "pilot programs" to analyze social media posts during the visa review process. Prior to 2014, a DHS policy prohibited social media monitoring by immigration officials. EPIC successfully obtained documents in 2012 detailing the DHS social media monitoring policies, including instructions to analysts to monitor criticism of the agency. EPIC also submitted a letter to congressional leaders, outlining how DHS officials misrepresented their policies in a Homeland Security Committee hearing. EPIC wrote that the DHS' monitoring program should be suspended, as it exceeds the agency's statutory authority and chills First Amendment activity.

EPIC has sued the U.S. Coast Guard and the Department of Homeland Security to obtain information on a federal government program to track and record the location of boaters. According to EPIC, the DHS intends to transfer the data from the Nationwide Automatic Identification System to federal and state agencies, as well as foreign governments. "The NAIS program exceeds the stated purpose of marine safety and constitutes an ongoing risk to the privacy and civil liberties of mariners across the United States," wrote EPIC in the FOIA lawsuit. The boating community has expressed concern over the tracking program. A previous FOIA request from EPIC to the agency went unanswered. Press Release - EPIC v. CG, DHS, No, 15-1527.

The federal FOIA ombudsman has informed EPIC that it is investigating the FOIA practices of six DHS component agencies. In 2014, EPIC and a dozen open government organizations urged the Office of Government Information Services to investigate the impermissible closures of FOIA requests. Through "still interested" letters, some federal agencies notify FOIA requesters that unprocessed requests will be closed by the agency if there is no further communication. EPIC and the open government groups object to the practice and reminded OGIS that "no provision in the [FOIA] allows for administrative closures." An earlier EPIC letter to OGIS led to a reduction of fee payments for FOIA requesters.

In EPIC v. DHS, a federal district court ruled that the Department of Homeland Security failed to justify withholding documents subject to the Freedom of Information Act. EPIC sued DHS to compel the disclosure of records relating to a cybersecurity program designed to monitor traffic flowing through ISPs to a select number of defense contractors. The court concluded that the agency's argument relied on "a weak assumption," but will allow the agency to submit a revised justification for withholding the records. EPIC previously won a five-year legal battle to release NSPD-54, the foundational legal document for U.S. cybersecurity policies.

EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Drug Enforcement Administration’s surveillance programs. The agency is required to publish privacy impact assessments for its data collection programs. However, the agency has failed to make available privacy impact assessments for many of its programs, including the massive cell phone metadata program "Hemisphere" and a nationwide license plate reader program. EPIC has a related lawsuit against the Federal Bureau of Investigation for that agency’s privacy impact assessments for several programs including "Next Generation Identification."

The federal appeals court in Washington, DC, has ordered DHS to respond to EPIC's petition to reconsider a recent decision allowing the federal agency to withhold the criteria for shutdown of cell phone networks. EPIC sued the DHS for the policy following a 2011 San Francisco BART incident, when government officials shut down cell phone service during a peaceful protest. EPIC argued that the recent decision would "create an untethered national security exemption for law enforcement agencies," and is contrary to other court decisions and the intent of Congress. The appeals court has determined that the government must respond to EPIC's petition.

Today EPIC filed a Petition in the federals appeal court in Washington, D.C., seeking review of a recent opinion allowing DHS to withhold the criteria to shutdown cell phone networks. EPIC sued the agency for the shutdown policy following a 2011 San Francisco BART incident, where government officials shut down cell phone service during a peaceful protest. In its Petition, EPIC argued that the recent decision would "create an untethered national security exemption for law enforcement agencies," and is contrary to other court decisions and the intent of Congress.

The federal court of appeals based in Washington, DC has ruled that the Department of Homeland Security may withhold from the public a secret procedure for shutting down cell phone service. EPIC pursued the DHS policy after government officials in San Francisco disabled cell phone service during a peaceful protest in 2011. EPIC sued DHS when the agency failed to release the criteria for network shutdowns. A federal judge ruled in EPIC's favor. On appeal, the D.C. Circuit held for the DHS but said that the agency might still be required to disclose some portions of the protocol.

The Department of Homeland Security Quarterly Report to Congress details programs and databases affecting privacy. According to the agency, DHS received 964 privacy complaints between September 1, 2013 and November 30, 2013. By contrast, DHS received 295 privacy complaints during the same period in 2011. According to the report, most DHS systems complies with Privacy Act notice requirements. However, the report also indicates that the DHS maintains many databases with personally identifiable information that lack required Privacy Act notices. For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy.

EPIC has submitted comments to the Department of Homeland Security, objecting to the agency's plan to secretly profile U.S. air travelers and remove Privacy Act safeguards. The DHS proposed to exempt TSA PreCheck from the federal privacy law. The PreCheck database contains detailed personal information, including name, birthdate, biometric information, Social Security Number, and financial information. The TSA plans to release applicant data to federal, state, tribal, local, territorial agencies and foreign governments. However, the TSA proposes to remove the rights of PreCheck applications concerning notification, access, and correction. The agency also intends to keep secret the basis for approving PreCheck applicants. EPIC described the substantial privacy and security risks of Precheck, urged the DHS to narrow the Privacy Act exemptions, and recommended that the DHS withdraw routine use disclosures. For more information, see EPIC: Secure Flight, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy.

EPIC has submitted comments to the Department of Homeland Security, staunchly opposing the agency's border biometric collection, facilitated through the Office of Biometric Identity Management program. Since at least 2004, DHS has collected fingerprint and facial photos from individuals entering the United States. DHS then disseminates this information to DHS agency components, other federal agencies, and "federal, state, and local law enforcement agencies," and the "federal intelligence community." Currently, at least 30,000 individuals from federal, state, and local governments access the data contained obtained by DHS's biometric collection program. DHS shares this biometric data with foreign governments, including Canada, Australia, and the United Kingdom. In its comments, EPIC urged the agency to cease collecting biometric information without proper privacy safeguards in place. Should the agency continue to collect this sensitive information, EPIC recommends that DHS: (1) impose strict information security safeguards on its biometric information collection and limit its dissemination of biometric information; (2) conduct a comprehensive privacy impact assessment on the biometric collection program; (3) grant individuals Privacy Act rights before collecting additional biometric information; and (4) adhere to international privacy standards. For more information, see EPIC: US-VISIT and EPIC: Biometric Identifiers.

A federal judge has vacated provisions in a prior order that would have limited the ability of FOIA requesters to disseminate information to the public. EPIC filed a Freedom of Information Act lawsuit against the Department of Homeland Security after the agency failed to respond to a request for documents about a plan to monitor internet traffic. In arguments before the court, the Department of Justice contended that EPIC should agree to a protective order that would prevent EPIC from disclosing documents obtained in the case. EPIC challenged this argument, stating that it was contrary to FOIA law and that the use of protective orders in FOIA cases would make it more difficult for the public to obtain information about government activities. Judge Kessler agreed with EPIC and discarded the protective order requirement. She also chastised the agency for its repeated delays in processing EPIC's FOIA request. The case is EPIC v. DHS, 12-333. For more information see: EPIC v. DHS - Defense Contractor Monitoring.

The Department of Homeland Security released the 2012 Privacy Office Annual Report to Congress. The report describes a social media monitoring policy, and privacy training for fusion centers personnel. According to the report, the TSA has still failed to adopt privacy safeguards for whole body image devices. The report is silent on several new DHS-funded initiatives, including the Future Attribute Screening Technology, a Minority-Report like proposal for "pre-crime" detection. The report also notes the expansion of the National Counterterrorism Center's five-year retention policy for records on U.S. Persons that do not contain terrorism information. The Chief Privacy Officer of the DHS is required by law to ensure that new agency programs do not diminish privacy in the United States. For more information, see EPIC: Privacy Report Held Hostage.

The Department of Homeland Security has issued a Privacy Act system of records notice for the E-Verify Program. E-Verify is a government records system that informs employers about the citizenship status of current and prospective employees. The database contains detailed personal information including names, dates of birth, Social Security numbers, and citizenship status for all individuals subject to review. This Privacy Act notice minimizes the information that the agency will collect, and also limits the agency's ability to disclose personal information to outside entities. Last year EPIC, along with a coalition of privacy, consumer rights, and civil rights organizations, encouraged DHS to strengthen privacy and security safeguards for E-Verify. For more information, see EPIC: E-Verify and Privacy.

The Department of Homeland Security has proposed to exempt its "Automated Targeting System" from certain Privacy Act provisions. The Automated Targeting System creates "risk-based" profiles of individuals traveling to, from, and throughout the United States. The profile contains a plethora of personal data, including, nationality, race, occupation, and biometrics. The System accesses and "ingests" this information from many sources, including government databases and commercial data aggregators. The DHS issued a Privacy Impact Assessment, which describes some of the privacy risks, including unauthorized access. In detailed comments to DHS in 2007, EPIC opposed the use of "risk-based" profiles. For more information, see EPIC: Automated Targeting System.

EPIC has submitted a letter to the Office of Government Information Services, asking for an investigation into FOIA practices at the Department of Homeland Security. EPIC explained that the federal agency, which includes the TSA and the Bureau of Customs and Border Protection, routinely denies fee waivers in circumstances where the agency knows that the requester properly qualifies. By way of example, EPIC cited a recent FOIA appeal in which the agency wrongly denied a fee waiver request. EPIC said that the practice creates additional work for sophisticated FOIA requesters and may, as a practical matter, prevent other requesters from pursuing important FOIA requests. For more information, see EPIC: DHS Privacy Office and EPIC: Litigation Under the Federal Open Government Laws.

The Department of Homeland Security has published a Privacy Impact Assessment Update for Secure Flight, a DHS program that compares airline passenger records with various watch lists. The assessment describes the agency's plans to expand the Known Traveler program so as to expedite airline screening for certain categories of individuals. The DHS also intends to incorporate into Secure Flight the Automated Targeting System, a controversial program that allows the government to assign a risk assessment number to individual travelers. That number provides the basis for further screening. In 2007, EPIC urged DHS to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to ATS. In 2010, EPIC advocated for stronger privacy protections of DHS trusted traveler programs that compare passenger names against watch lists. For more information, see EPIC: Secure Flight and EPIC: Automated Targeting Systems.

Both the House and the Senate introduced bills last month that would require the Department of Homeland Security "to contract with an independent laboratory to study the health effects of backscatter x-ray machines used at airline checkpoints operated by the Transportation Security Administration," and to provide improved notice of the health effects to airline passengers. The bills focus on the health effects of those screened by the backscatter x-ray machines, including frequent air travelers, flight crews, and individuals with greater sensitivity to radiation, such as children, pregnant women, the elderly, and cancer patients. In 2010, EPIC filed a Freedom of Information Act lawsuit asking a court to force the Department of Homeland Security to disclose documents about radiation testing results and agency fact sheets on radiation risks. For more information, see EPIC: EPIC v. DHS - Full Body Scanner Radiation Risks.

In celebration of Sunshine Week, EPIC published the EPIC FOIA Gallery: 2012. The gallery highlights key documents obtained by EPIC in the past year, including the Federal Bureau of Investigation's watch list guidelines, records of the Department of Homeland Security's social media monitoring program, Google's first Privacy Compliance Report, records detailing the government's FAST scanning program, records of the FBI's surveillance of Wikileaks supporters, and DHS records detailing the use of body scanners at the U.S. border. EPIC regularly files Freedom of Information Act requests and pursues lawsuits to force disclosure of critical documents that impact privacy. EPIC also publishes the authoritative FOIA litigation manual. For more, see EPIC Open Government and EPIC Bookstore: FOIA.

A popular video "How To Get Anything Through TSA Nude Body Scanners" show that it is easy to bypass airport body scanners by hiding materials perpendicular to the plane of the scanning devices. The video also notes that traditional metal detectors, now being removed from US airports, would routinely alert to the presence of metallic objects. Still more interesting may be the recent blog post by a 25-year FBI agent, expert in aviation security, who writes that the "TSA has never foiled a terrorist plot or stopped an attack on an airliner" and that "the entire TSA paradigm is flawed." In a federal lawsuit, EPIC challenged the TSA airport scanner program, calling it "invasive, unlawful, and ineffective." For more information, see EPIC v. DHS (Suspension of body scanners).

The Department of Homeland Security has released the 2011 Annual Data Mining Report. The report must include all of the Agency's current activities that fall within the legislative definition of "data mining." Among other things, this year's report references the Agency's programs to profile individuals entering or leaving the country to determine who should be subject to "additional screening." A FOIA request by EPIC in 2011 revealed that the FBI's standard for inclusion on the list is "particularized derogatory information," which has never been recognized by a court of law. The report also provides information on Secure Flight and Air Cargo Advanced Screening. For more information, see EPIC: FBI Watch List FOIA and EPIC: DHS Privacy Office.

EPIC has submitted a letter to Congress following a hearing on DHS monitoring of social networks and media organizations. In the letter, EPIC highlights new documents obtained as a result of a FOIA lawsuit and points out to inconsistencies in DHS' testimony about the program. Though DHS testified that it does not monitor for public reaction to government proposals, the documents obtained by EPIC indicate that the DHS analysts are specifically instructed to look for criticism of the agency and then to redirect reports that would otherwise be circulated to other agencies. EPIC wrote that the DHS' monitoring program should be suspended, as it exceeds the agency's statutory authority and chills First Amendment activity. For more information, see EPIC: EPIC v. DHS: Media Monitoring.

In a Statement for the Record, EPIC has asked the House Committee on Homeland Security to suspend a DHS program that has permitted the agency to gather comments critical of the agency and the government by monitoring social networks and media organizations. The hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy" was called after EPIC obtained nearly 300 pages of documents detailing the Department of Homeland Security's activities. The documents, obtained as a result of EPIC's Freedom of Information Act lawsuit, include instructions from the DHS to General Dynamics to monitor media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring.

On February 16, 2012, the House Committee on Homeland Security will hold a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." The hearing was called after EPIC obtained nearly 300 pages of documents, as a result of a Freedom of Information Act lawsuit, detailing the Department of Homeland Security's monitoring of social networks and media organizations. The documents included guidelines from DHS instructing General Dynamics to monitor for media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring.

As the result of EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC has obtained nearly thee hundred pages of documents detailing a Department of Homeland Security's surveillance program. The documents include contracts and statements of work with General Dynamics for 24/7 media and social network monitoring and periodic reports to DHS. The documents reveal that the agency is tracking media stories that "reflect adversely" on DHS or the U.S. government. One tracking report -- "Residents Voice Opposition Over Possible Plan to Bring Guantanamo Detainees to Local Prison-Standish MI" -- summarizes dissent on blogs and social networking cites, quoting commenters. EPIC sent a request for these documents in April 2004 and filed suit against the agency in December. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring.

According to a draft memo, the Department of Homeland Security intends to require that all states comply with the agency's "Secure Communities" program by 2013. Secure communities is a controversial deportation program that relies on extensive data collection and biometric identification. Several states, including Illinois, New York and Massachusetts, objected to the federal program, citing mismanagement, and refused to participate. Previously, the DHS maintained that the program would be voluntary. For more, see EPIC: Secure Communities.

EPIC has submitted comments to the Department of Homeland Security, objecting to the agency's plan to disclose internal agency records to former DHS employees, third party employers, and foreign and international agencies. DHS plans to disclose criminal conviction records, employee records, and foreclosures, about a broad category of individuals, including members of the public, individuals who file administrative complaints with DHS, and even individuals who are named parties in cases "in which DHS believes it will or may become involved." All of this information is protected under the federal Privacy Act, but the DHS proposes to invoke the "routine use" exemption to allow disclosure. EPIC said the plan would "undermine privacy safeguards set out in the Privacy Act and would unnecessarily increase privacy risks for individuals whose records are maintained by the federal government." EPIC also noted that the agency has failed to allow sufficient time to meaningfully consider public comment on the plan. For more information, see EPIC: the Privacy Act of 1974.

EPIC has filed a Freedom of information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies.The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy.

In comments to the Department of Homeland Security regarding a proposal to expand the Privacy Act "routine use" exemption, EPIC has said that the agency is exceeding its legal authority. The DHS is seeking to disclose information about current and former government employees, including members of the US Secret Service, for the the development of "civil, administrative, or background investigation." The information includes names, social security numbers, addresses, and dates of birth. The "routine use" exemption allows federal agencies to disclose personal information in their possession in certain, narrow circumstances, not for open-ended investigations. EPIC stated that the change would "undermine privacy safeguards set out in the Privacy Act and would unnecessarily increase privacy risks for individuals whose records are maintained by the federal government." For more information, see EPIC: the Privacy Act of 1974.

Through a Freedom of Information Act request, EPIC has obtained documents from the Department of Homeland Security about a secretive "pre-crime" detection program. The "Future Attribute Screening Technology" (FAST) Program gathers "physiological measurements" from subjects, including heart rate, breathing patterns, and thermal activity, to determine "malintent." According to the documents obtained by EPIC, the agency is considering the use of the device at conventions and sporting events, and has already conducted field testing. CNET first reported on the EPIC FOIA request. For more information, see: EPIC: Future Attribute Screening Technology Project.

The Department of Homeland Security has released the Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on Fusion Centers, Cybersecurity, and Cloud Computing activities of the agency. For more information, see EPIC: DHS Privacy Office.

On July 20, 2010, the Department of Homeland Security announced a substantial change in the deployment of body scanners in US airports. According to the DHS Secretary, the devices, which had once been part of a pilot program for seconary screening, will now be deployed in 28 additional airports. The devices are designed to capture and store photographic images of naked air travelers. EPIC has filed an emergency motion in federal court, urging the suspension of the program and citing violations of several federal statutes and the Fourth Amendment. Public opposition to the program is also growing. For more information, see EPIC v. DHS (Body scanners) and EPIC Body Scanners.

A federal judge has ruled against the Department of Homeland Security's Customs and Border Protection claim that agents could not only search the electronic devices of cross-border travelers without a warrant or even reasonable suspicion, they could also seize the devices indefinitely for more invasive searches. In United States v. Hanson, U.S. District Judge Jeffrey White ruled that "[g]iven the passage of time between the January and February searches and the fact that the February search was not conduct[ed] at the border, or its functional equivalent, the court concludes that the February search . . . must be justified by reasonable suspicion." Last October, EPIC and 20 other organizations sent a letter to the House Committee on Homeland Security objecting to this practice and other privacy violations. For more information, see EPIC: DHS Privacy Office.

The Department of Homeland Security has released the 2009 Freedom of Information Act Report. The report shows that the Department processed over 160,000 requests in the past year, with 27,182 requests remaining pending. Of the requests processed, 11% were granted in full, 60% were classified as "partial grants/partial denials," and the remaining 29% were denied in full. The overwhelming majority of backlogged requests and appeals are pending at the Customs and Immigration Service. For denied requests with processed appeals, nearly 30% were fully reversed on appeal, and another 32% were reversed in part. EPIC currently has two FOIA cases pending against the Department relating to its use of Body Scanner machines. For more information, see EPIC v. DHS, EPIC FOIA Litigation Docket.

House Homeland Security Committee Chairman Bennie Thompson has responded to the Privacy Coalition letter regarding the Chief Privacy Officer of the Department of Homeland Security. Chairman Thompson said that "the Committee is in the process of reviewing the programs outlined" in the letter, and thanked the Coalition for bringing the issues to the attention of the committee. He further stated that the Committee "will continue to examine the Department's programs and policies and vigorously address privacy concerns and issues." For more information, see EPIC DHS Privacy Office and Privacy Coalition.

In a letter to the Chief Privacy Officer of the Department of Homeland Security, EPIC asked when the annual privacy report will be made available. The Department is required by law to provide an annual report "on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters." The last privacy report was published in July 2008. EPIC has previously sent similar letters to the Department, reminding the agency of its legal obligation to inform the public about its activities. For more information, see EPIC’s Privacy Report Held Hostage page.

EPIC has filed a FOIA appeal with the Department of Homeland Security for the calendar of the Chief Privacy Officer. EPIC submitted the original request to find out why the DHS Privacy Officer could not meet with privacy groups in Washington, DC. The agency turned over many pages from the calendar, but the entries were all blacked out. In the appeal, EPIC said the agency has failed to comply with the open government law and also cited the President's commitment to government transparency concerning the activities of public officials. For more information, see EPIC Open Government.

Senator Schumer (D-NY) is proposing a new system to track all US workers to determine employment eligibility. The plan for the employment verifiability system involves the collection of biometric information. The Department of Homeland Security would approve or disapprove individuals for employment. Automated biometric identification systems raise questions about the scalability, reliability, accuracy, and security of the data collected. See EPIC Biometric Identification.

Background

Media Monitoring Services

On April 3, 2018, the Department of Homeland Security published a solicitation for “media monitoring services” (MMS). The agency sought a contractor to provide "traditional and social media monitoring and communications solutions,” including “media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.”

The DHS's Statement of Work for the project called for three primary media monitoring capabilities. First, the agency sought the ability to “track online, print, broadcast, cable, radio, trade and industry publications, local sources, national/international outlets, traditional news sources, and social media.” This would include the capacity to monitor over “290,000 global news sources” in over “100 languages” and to “create unlimited data tracking, statistical breakdown, and graphical analysis on any coverage on an ad-hoc basis.”

Second, the DHS sought “Media Intelligence and Benchmarking Dashboard Platform” to conduct “real-time monitoring” and analysis of media coverage. This platform would enable to DHS to “analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, [advertising value equivalency], top posters, influencers, languages, momentum, [and] circulation.” The platform would include the ability to “build media lists based on beat, location, outlet type/size, and journalist role.” The DHS also sought the development of a mobile app and email alerts to monitor media coverage.

Third, the DHS sought the creation of an internal “media influencer database,” which would collect and retain the locations, contact information, employer affiliations, and past coverage of untold numbers of “journalists, editors, correspondents, social media influencers, bloggers, etc.” The database would be searchable in multiple languages by “keywords, concepts, [and] Boolean search terms.”

The DHS’s announcement that it was developing a suite of media monitoring tools drew widespread criticism due the threat the project poses to privacy and press freedoms. Michelle Fabio, writing in Forbes, warned that the DHS’s planned use of MMS is “enough to cause nightmares of constitutional proportions, particularly as the freedom of the press is under attack worldwide.”

The DHS's Obligations Under the E-Government Act

Under Section 208 of the E-Government Act of 2002, any agency that "develop[s] or procur[es] information technology that collects, maintains, or disseminates information that is in an identifiable form" is required to complete a Privacy Impact Assessment (PIA) before doing so. Specifically, the agency must "(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means."

A Privacy Impact Assessment must be "commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information." The PIA must specifically address "(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured."

The DHS’s media monitoring tools will necessarily collect and store personally identifiable information from individuals identified in the media coverage tracked by the DHS. The DHS’s media influencer database will also include personally identifiable information about journalists, bloggers, and social media users. Because the DHS has begun “developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form” and “a new collection of information that . . . includes [] information in an identifiable form permitting the physical or online contacting of a specific individual[.]” the agency was required to conduct and publish an applicable PIA in advance.

The DHS's Failure to Publish a Privacy Impact Assessment

On April 13, 2018, EPIC submitted a Freedom of Information Act (FOIA) request to the DHS seeking:

2. Any associated agency records including but not limited to policy guidelines, memoranda, email communications, and Privacy Threshold Analysis related to “Media Monitoring Services," and

3. All awarded contracts for “Media Monitoring Services.”

On May 30, 2018—after the agency had unlawfully failed to fulfill EPIC's FOIA request within the time allowed by law—EPIC filed suit in the U.S. District Court for the District of Columbia. EPIC explained that the DHS had violated both the FOIA and the E-Government Act by neglecting to disclose a Privacy Impact Assessment and related records. On July 11, 2018, the DHS responded to EPIC's complaint and acknowledged that the agency had failed to complete any PIA related to Media Monitoring Services. On October 11, 2018, the DHS disclosed 73 pages of records (some partially redacted) to EPIC while asserting that 157 other pages are exempt from disclosure in full. EPIC's case is ongoing.

EPIC's Interest

EPIC has long highlighted the obligation of federal agencies to conduct and publish a Privacy Impact Assessment before any new collection of personal data, and EPIC has brought numerous successful cases seeking the release of PIAs. In EPIC v. DHS, No. 11-2261 (D.D.C. filed Dec. 20, 2011), EPIC obtained a PIA and related records concerning a prior effort by the DHS to track social media users and journalists. In EPIC v. FBI, No. 14-1311 (D.D.C. filed Aug. 1, 2014), EPIC obtained unpublished PIAs from the Federal Bureau of Investigation concerning facial recognition technology. And in EPIC v. DEA, No. 15-667 (D.D.C. filed May 1, 2015), EPIC learned that the Drug Enforcement Administration had failed to produce PIAs for the agency’s license plate reader program, a telecommunications records database, and other systems of public surveillance.

More recently, in EPIC v. Presidential Advisory Commission on Election Integrity, No. 17-1320 (D.D.C. filed July 3, 2017), EPIC challenged the failure of the Presidential Advisory Commission on Election Integrity to undertake and publish a PIA prior to the collection of state voter data. EPIC’s suit led the now-defunct Commission to suspend its data collection and delete voter information that had been illegally obtained.

FOIA Documents

On October 11, 2018, the DHS disclosed 73 pages of records to EPIC (many of them partially redacted) concerning Media Monitoring Services. The records reveal that the DHS bypassed the agency's own privacy officials in developing MMS and ignored the threats that the system poses to privacy and press freedoms.

For example, despite the agency's obligation to conduct a Privacy Impact Assessment before developing a system that collects personal data, top DHS privacy officials appeared unaware that a media monitoring project was being launched. On April 6, 2018, a senior privacy official at the DHS's National Protection and Programs Directorate (NPPD) wrote to other agency personnel about the MMS program. Although the DHS had published the MMS Statement of Work three days earlier, the privacy official seemed unsure if that document was even authentic:

I wanted to make you both aware that I've seen a few news organizations (Forbes and Bloomberg) carrying a story claiming DHS is compiling a database of journalists and media influencers in what appears to be an NPPD Statement of Work (SOW) posted on FedBizOps.gov.

On April 9, 2018—six days after the agency published the Statement of Work—an official from the central DHS Privacy Office expressed similar surprise about the existence of the MMS program:

Per the article below, we noticed that NPPD has put out a Statement of Work to gather and monitor the public activities of media professionals and influencers. PRIV found this interesting given the work the OPS NOC Media Monitoring Capability does & the privacy perimeters within which they work. Could you shed some light on this topic?

Meanwhile, the Director of the DHS Office of Legislative Affairs had to write to other senior agency officials to confirm whether press accounts of the program were accurate.

The records obtained by EPIC also show that Rep. Bennie G. Thompson (D–MS) wrote to the agency to express grave concerns about the MMS program and the agency's poor handling of public opposition:

As you may be aware, the RFI [for Media Monitoring Services] has raised a great deal of concern among some journalists and the public. Unfortunately instead of assuaging that concern with information, DHS' press secretary maligned those asking questions about the RF1 as "tin foil hat-wearing, black helicopter conspiracy theorists," which was inappropriate and unhelpful. Indeed, DHS' response only exacerbated the concerns of those troubled by the RFI, including myself.

…

While there may be a legitimate purpose for certain media monitoring services, to date the Department has failed to provide one. Moreover, it has not provided specific information about how media monitoring services will advance its mission and how it will protect data about journalists and other media influencers from misuse or falling into the wrong hands.

Tyler Q. Houlton, the DHS spokesman referenced in Rep. Thompson's letter, published a defensive op-ed in USA Today in support of the MMS program. In the records obtained by EPIC, Houlton dismissed USA Today as "the coloring book of newspapers" and stated that the paper "wouldn't be able to handle" any "in-depth operational arguments."

The DHS has asserted that another 157 pages of records responsive to EPIC's request are exempt from disclosure under the FOIA.